<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>infosec « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/infosec/</link>
	<description>Feed of posts on WordPress.com tagged "infosec"</description>
	<pubDate>Mon, 07 Dec 2009 22:26:22 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Mall Kiosk PoS Fun]]></title>
<link>http://jpettorino.wordpress.com/2009/12/06/mall-kiosk-pos-fun/</link>
<pubDate>Mon, 07 Dec 2009 05:22:57 +0000</pubDate>
<dc:creator>JeffP</dc:creator>
<guid>http://jpettorino.wordpress.com/2009/12/06/mall-kiosk-pos-fun/</guid>
<description><![CDATA[Shopping in the big swanky mall today, and I was watching the teenagers leaning over the railing loo]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Shopping in the big swanky mall today, and I was watching the teenagers leaning over the railing looking down on the girls walking below them.  Of course, I&#8217;m thinking &#8220;teenage boys with a strategic position to look at teenage girls, uh huh. I remember that.&#8221;  Then I whip out my card to pay for a purchase at a kiosk, and the lady is entering my info into a Web page PoS on a laptop.  Typing in my card number, CVC2, etc.  I look back up at the teenagers and wonder&#8230;&#8221;do they have binoculars? How good is the zoom on that cell-phone camera?&#8221;</p>
<p>Are they checking out the cleavage of the young ladies, or are they shoulder surfing for CC#&#8217;s and PINs?  Very interesting.  And a little scary.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[You want to run your own WHAT???]]></title>
<link>http://jpettorino.wordpress.com/2009/12/03/you-want-to-run-your-own-what/</link>
<pubDate>Thu, 03 Dec 2009 23:53:31 +0000</pubDate>
<dc:creator>JeffP</dc:creator>
<guid>http://jpettorino.wordpress.com/2009/12/03/you-want-to-run-your-own-what/</guid>
<description><![CDATA[Branden Williams posted his opinions on Outsourcing Cashless Payments recently.  He has an opinion a]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="https://www.brandenwilliams.com/blog/2009/12/01/consider-outsourcing-cashless-payments/">Branden Williams posted his opinions</a> on Outsourcing Cashless Payments recently.  He has an opinion and isn&#8217;t afraid to share it with us.  Tell us how you really feel, Brando!</p>
<p>So it tickled my schadenfreude when <a href="http://www.team-cymru.org/" target="_blank">Team Cymru</a> posted a great news article about several <a href="http://www.bankinfosecurity.com/articles.php?art_id=1974" target="_blank">restaurants in LA and MS suing their PoS vendor </a>for non-compliance.</p>
<p><!--more--></p>
<p>So whats the point, besides a lot of linking to higher ranked sites to drive my placement?</p>
<ol>
<li>I agree with Branden 100% &#8211; core competencies are everything.  If you sell magic beans at the flea market, you shouldn&#8217;t be writing your own payment card security apps.  Among other things.</li>
<li><span style="text-decoration:line-through;">If</span> When you outsource your cashless payments, <em>YOU GET WHAT YOU PAY FOR</em>.</li>
<li>Paying for independent, 3rd party verification is probably a Good Idea™.</li>
<li>It can&#8217;t <em>*hurt*</em> my page ranking, can it?</li>
</ol>
<p>My rule of TANSTAAFL<strong>* -<br />
</strong></p>
<p>You can have Quality, Inexpensive, and Rapid work&#8230;but only two of those three factors will apply.</p>
<ul>
<li>Good work fast, but not cheap.</li>
<li>Good work cheap, but not fast.</li>
<li>Fast work cheap.  Yeah, I don&#8217;t think so.</li>
</ul>
<h5><em>* Ok, so I&#8217;m not the first one to say this.</em></h5>
<p><em>/* UPDATE */ &#8211; Dec 3, 2009 @ 19:47<br />
</em></p>
<h4><em>Ok, so here it is three hours later and I realize &#8220;Doy! I didn&#8217;t explain &#8216;TANSTAAFL&#8217;&#8221;<br />
: There Ain&#8217;t No Such Thing As A Free Lunch<br />
</em></h4>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[New dionaea statistics script]]></title>
<link>http://infosanity.wordpress.com/2009/12/01/new-dionaea-statistics-script/</link>
<pubDate>Tue, 01 Dec 2009 18:22:48 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/12/01/new-dionaea-statistics-script/</guid>
<description><![CDATA[Following on from my work with gathering statistics from the Honeypot systems that I run I have rele]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Following on from my work with gathering statistics from the Honeypot systems that I run, I have released a limited alpha of a new script/tool that I am working on. The tool provides access to common result sets from the sqlite database, without the requirement for remembering the database architecture and entering lengthy SQL statements by hand.</p>
<p>Disclaimer first: the tool doesn&#8217;t do anything outrageously new, and most of the SQL queries have been borrowed from <a title="Carnivore.it Logging post" href="http://carnivore.it/2009/11/06/dionaea_sql_logging">Markus&#8217; post</a> on SQL logging with Dionaea when the feature was first introduced. However I have found the script makes my analysis of the honeypot logs simpler and quicker, and I&#8217;ve had a positive reaction from a limited few that have had a copy of the script before this post. Hopefully it will be of use to others.</p>
<p>Usage is relatively simple, shown below:</p>
<blockquote><p>Dionaea database query collection<br />
Author: Andrew Waite &#8211; www.InfoSanity.co.uk</p>
<p>Inspiration from carnivore.it article:</p>
<p>http://carnivore.it/2009/11/06/dionaea_sql_logging</p>
<p>Usage:<br />
/path/to/python dionaea-sqlquery.py --query #<br />
Where # is:<br />
1:      Port Attack Frequency<br />
2:      Attacks over a day<br />
3:      Popular Malware Downloads<br />
4:      Busy Attackers<br />
5:      Popular Download Locations<br />
6:      Connections in last 24 hours</p></blockquote>
<p>The script can be found <a title="dionaea-sqlquery.py Version 0.2" href="http://www.infosanity.co.uk/resources/scripts/dionaea/dionaea-sqlquery-0_2.py">here</a>. There is still a good level of work to be undertaken to tidy up the output, potentially allowing for output in different formats, and I also want to add additional and more complex queries as time progresses. If you have any success, failure, comments or suggestions please let me know.</p>
<p>&#8211; Andrew Waite</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security^w Obscurity and OPSEC]]></title>
<link>http://jpettorino.wordpress.com/2009/12/01/securityw-obscurity-and-opsec/</link>
<pubDate>Tue, 01 Dec 2009 07:20:46 +0000</pubDate>
<dc:creator>JeffP</dc:creator>
<guid>http://jpettorino.wordpress.com/2009/12/01/securityw-obscurity-and-opsec/</guid>
<description><![CDATA[James DeLuccia has an insightful discussion on his Payment Card Security &amp; IT Controls Explained]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>James DeLuccia has an insightful discussion on his <a href="http://pcidss.wordpress.com/" target="_blank">Payment Card Security &#38; IT Controls Explained</a> weblog about a recent leak of the <a href="http://pcidss.wordpress.com/2009/11/30/british-security-defense-manual-leaked/" target="_blank">British Security Defense Manual</a>.  Others have covered the leak and summarized the info; I shan&#8217;t bore you with those details.  I want to discuss the excellent points James makes, and offer some insight into how these things are get sold as a Good Idea™.</p>
<p><!--more--></p>
<p>- one -</p>
<p>During my last consulting gig one of my PCI clients was a large co-lo service delivery provider catering to very large financial institutions.  This company often provides similar or  identical services to competing entities, so they maintain <em>amazing </em>processes, rules, and orders of separation for the teams and documents related to the individual clients.  They also have an impressive Legal department. *ahem*</p>
<p>Under the obligatory NDA, I had complete access to their security policies, processes, and personnel directly related to my current assessment.  But only in person, on their premises, in the presence of their assigned personnel.  Until the engagement was completed.  Later on, a new employer charged me with writing a security policy from scratch.  Remembering the excellent quality of the policies this client had, I asked them if I might get a sanitized copy, or even just some excerpts, to use as a baseline.  I was denied.  Politely, friendly, and nicely, but definitively denied.</p>
<p>It was surprising, but after some reflection not entirely unexpected.  This company is charged with managing critical systems, proprietary solutions, and secrets for their clients.  Information sharing is *not* their norm, and their customers pay for that specific trait.  Good enough for me.</p>
<p>- two -</p>
<p>In the US Govt. one hears constant security warnings about <a href="http://www.ioss.gov/faq.html#1" target="_blank">OPSEC</a>.  In a nutshell OpSec (Operations Security) is about identifying and protecting your critical information in an effort to deny The Adversary any intelligence about your capabilities and operations.  If the sales rep for an up-and-coming niche supplier starts travelling to Woonsocket, RI and eventually opens a local office, that may or may not seem important.  But it points to the possibility that this supplier is preparing for significant business with <a href="http://money.cnn.com/magazines/fortune/fortune500/2009/snapshots/2269.html" target="_blank">CVS/pharmacy</a>.  Not that valuable, you say?</p>
<p>Imagine if it was Bentonville, AR or Groton, CT, homes to Wal-Mart and Pfizer, respectively.  That could be very big news to the right competitor or investor.  Now apply this sort of deduction to military unit deployments, ranking government personnel travel itineraries, etc.  Suddenly the stakes get quite a lot higher.</p>
<p>Unfortunately, the OPSEC mindset is easily misinterpreted to mean &#8220;Obscure Everything Possible&#8221; instead of &#8220;Protect Critical Information&#8221;.  Fueled by the mania that also requires we dispose of nail clippers before boarding air-flights, it quickly becomes obvious that I could let you read the rest of this post, but then I would have to kill you.  Just kidding.  They are not watching you.  Really.</p>
<p>- three -</p>
<p>We feel safer when mystery shrouds our fortifications, but in reality countermeasures are often effective simply as deterrents, long before they are tested as defenders of the infrastructure.  As a closing example I point to The Club.</p>
<p>This device is a highly visible deterrent and a near insurmountable obstacle for the ill-prepared amateur.  But a determined car thief with a hack saw can cut away a piece of the steering wheel and remove The Club in a short time.  This requires a few things: correct information, appropriate tools, and skill (or luck).  So does that make The Club worthless?  That all depends&#8230;do you own one of the 10 most stolen vehicles in America?  Do you really think $50 is enough to protect a $20,000+ vehicle?</p>
<p>- fin -</p>
<p>We humans seem to be obsessed with secrets and exclusive information.  How else can we explain the extremely broad appeal of the Dan Brown books?  Historical-fiction mysteries, bordering on heresy for some, are hardly the &#8220;Big R&#8221; shoppers&#8217; fare.  Yet there he is at the checkout next to the turkey jerky and Copenhagen.</p>
<p>Hiding the policies and processes by which we function is rarely the best solution; in fact it often invites a false sense of security.  The specific details of countermeasures in place, how they are configured, and where they overlap is intelligence we don&#8217;t want our adversaries to have.  Policies that are validated and available for public review are good for security, just like cryptographic algorithms.  Hiding behind security rules and secrecy laws works sometimes, but not always, and it never lasts.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Discovering and exploiting a remote buffer overflow vulnerability in an FTP server - PART 1]]></title>
<link>http://raykoid666.wordpress.com/2009/11/28/remote-buffer-overflow-from-vulnerability-to-exploit-part-1/</link>
<pubDate>Sat, 28 Nov 2009 16:44:43 +0000</pubDate>
<dc:creator>raykoid666</dc:creator>
<guid>http://raykoid666.wordpress.com/2009/11/28/remote-buffer-overflow-from-vulnerability-to-exploit-part-1/</guid>
<description><![CDATA[Hello all, in this tutorial we will learn how to identify a vulnerability in an FTP server through t]]></description>
<content:encoded><![CDATA[Hello all, in this tutorial we will learn how to identify a vulnerability in an FTP server through t]]></content:encoded>
</item>
<item>
<title><![CDATA[Expert speaker session at Northumbria University]]></title>
<link>http://infosanity.wordpress.com/2009/11/18/expert-speaker-session-at-northumbria-university/</link>
<pubDate>Wed, 18 Nov 2009 14:19:33 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/11/18/expert-speaker-session-at-northumbria-university/</guid>
<description><![CDATA[Last week I had the pleasure of being asked to speak at Northumbria University, presenting to studen]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Last week I had the pleasure of being asked to speak at <a title="Northumbria University" href="http://www.northumbria.ac.uk/">Northumbria University</a>, presenting to students of the <a title="UNN Computing Forensics" href="http://www.northumbria.ac.uk/programmespecs/BScHonsComputerForensics/">Computer Forensics</a> and <a title="UNN: Ethical Hacking" href="http://www.northumbria.ac.uk/programmespecs/1319541/">Ethical Hacking for Computer Security</a> programmes. As I graduated from Northumbria a few years ago it was interesting to come back to see some familiar faces and have a look at how the facilities had developed.</p>
<p>Despite the nerves of having to speak in front of a crowd I really enjoyed the event, especially as the other speakers were excellent and I enjoyed their sessions. The event kicked off with Dave Kennedy, a soon to retire member of Durham Police&#8217;s computer crime unit. Dave talked about his personal experience with a couple of high profile cases, explaining some of the groundwork and behind the scenes activity that isn&#8217;t known to the general public. I found the information interesting but also disturbing; given the nature of the material that is handled by Dave and his department, I can safely state that I wouldn&#8217;t want to have much experience in the area.</p>
<p>Next up was Phil Byrne, an internal auditor for HM Revenue and Customs (HMRC). For those that don&#8217;t know, HMRC were/are at the centre of one of the UK&#8217;s largest data loss stories in 2007 after CDs containing approximately 25 million child benefit records were sent, unencrypted, by standard post and did not reach their intended destination (some backstory <a title="BBC News: HMRC data loss" href="http://news.bbc.co.uk/1/hi/7104945.stm">here</a>). Phil talked openly about the incident, discussing both the incident itself and the changes made in response. One of Phil&#8217;s comments has stayed with me (if I&#8217;m mis-quoting someone let me know):</p>
<blockquote><p>If you put people into the process, something will go wrong at some time</p></blockquote>
<p>Third to the stand was Gary Witts, owner of a managed services company specialising in on-line backups. The talk was very in-depth and had some interesting content, but from my perspective I felt it was more of a sales pitch than a technical discussion of the secure backup&#8217;s place within a security standing.</p>
<p>I took the fourth and final slot of the day, which left me with the unenviable position of being between around 100 students and the pub, which didn&#8217;t help my usual rapid-fire presentation style. My presentation took a different focus from the previous sessions, discussing some of the real-world security incidents that can regularly be encountered, and some advice on handling the incidents in question. I also discussed my findings from <a title="InfoSanity: Honeypot" href="http://infosanity.wordpress.com/category/honeypot/">honeypot</a> systems, introducing a less common method for monitoring an environment for malicious activity. Assuming the feedback I&#8217;ve received is genuine the presentation seems to have been well-received.</p>
<p>From a student&#8217;s perspective; <a title="tmac.co.uk" href="http://tmacuk.co.uk/">Tom</a> was in the audience and has been writing up his take on the event in a series of <a title="Tmacuk's site" href="http://tmacuk.co.uk/">blog postings</a>. Tom also recorded the talks, for any one interested a direct link to my session is available <a title="InfoSanity - UNN Presentation audio" href="http://www.infosanity.co.uk/resources/presentations/Infosanity-UNN-20091111.wma">here</a>.</p>
<p>&#8211; <a title="Bio - Andrew Waite" href="http://infosanity.wordpress.com/about/bio-andrew-waite/">Andrew Waite</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Rise of explo.it database]]></title>
<link>http://infosanity.wordpress.com/2009/11/17/explo-it-database/</link>
<pubDate>Tue, 17 Nov 2009 19:02:28 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/11/17/explo-it-database/</guid>
<description><![CDATA[The team from Offensive Security have just announced the opening of explo.it (re-directs to exploits]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The team from <a title="Offensive Security" href="http://www.offensive-security.com/">Offensive Security</a> have just announced the opening of <a title="Explo.it" href="http://explo.it">explo.it</a> (re-directs to <a title="exploits.offensive-security.com" href="http://exploits.offensive-security.com">exploits.offensive-security.com</a>, just more memorable). The site is designed as a successor to <a title="milw0rm" href="http://milw0rm.com">milw0rm</a>. If you&#8217;ve ever browsed the milw0rm site the layout will be instantly familiar.</p>
<p>I think this is great news for the infosec community, not only does the OffSec team always produce high quality output, but it helps provide some stability in the wake of milw0rm&#8217;s <a href="http://infosanity.wordpress.com/2009/07/08/good-night-milw0rm/">recent</a> <a title="Str0ke hoax" href="http://infosanity.wordpress.com/2009/11/04/sad-news-rip-str0ke/">uncertainty.</a></p>
<p>At this point the site&#8217;s content volume is growing rapidly: when I looked this morning the archive&#8217;s exploits numbered around 9000; already it has reached 10000+, and a refresh of the front page has this number increase a good percentage of the time.</p>
<p>One feature of the site that I do like is a link (where available) to the vulnerable version of the application or code. I believe this will make testing much easier as it removes the need to trawl the web for an often unsupported and unavailable old version of an application. I really hope that this feature will become popular and all/most of the published exploits will link to a download location for retrieving the vulnerable code where possible.</p>
<p>Happy exploiting (in your lab, obviously)</p>
<p>&#8211; <a title="Bio - Andrew Waite" href="http://infosanity.wordpress.com/about/bio-andrew-waite/">Andrew Waite</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Article Review: Carving malware from memory]]></title>
<link>http://infosanity.wordpress.com/2009/11/17/368/</link>
<pubDate>Tue, 17 Nov 2009 18:40:04 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/11/17/368/</guid>
<description><![CDATA[I&#8217;ve recently had the pleasure of talking with Leon van der Eijk which resulted in me getting ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I&#8217;ve recently had the pleasure of talking with <a title="@lvdeijk" href="http://twitter.com/lvdeijk">Leon van der Eijk</a> which resulted in me getting the opportunity to review an article he had been working on. The focus of the article is to identify and collect malware samples from running processes within volatile memory. Given my predilection for malware collection and analysis Leon correctly guessed that I would enjoy the article, which does a great job of describing a method for collecting and analysing malware (and other files and processes) from RAM on a live Windows system.</p>
<p>Leon&#8217;s method utilises Meterpreter&#8217;s memdump.rb script to collect a snapshot of an infected system&#8217;s memory, then utilises <a title="Foremost" href="http://foremost.sourceforge.net/">Foremost</a> to carve up the collected memory image into individual files which can then be analysed as normal. As the article has just been published today I won&#8217;t try to improve on the work already, but I would suggest giving it a read <a title="Lvdeijk: Carving malware from memory" href="http://lvdeijk.wordpress.com/2009/11/17/carving-malware-from-live-memory/">here</a>.</p>
<p>My own forensics skills aren&#8217;t yet up to the level that I would like, but I was able to replicate Leon&#8217;s process relatively easily within my own lab environment, and without too many problems. This, along with my experience at Northumbria University last week (<a title="InfoSanity - UNN Expert speaker session" href="http://infosanity.wordpress.com/2009/11/18/expert-speaker-session-at-northumbria-university/">more later</a>), has re-ignited my interest in improving my forensic skills, and has proved to me that some of the basic skills and techniques involved with the forensic process aren&#8217;t all black magic.</p>
<p>The article is definitely worth a read if you have an interest in either computer forensics and/or malware analysis. In case you missed it above, link to article: <a title="Carving malware from live memory" href="http://lvdeijk.wordpress.com/2009/11/17/carving-malware-from-live-memory/">Carving malware from live memory.</a> Keep up the good work Leon.</p>
<p>&#8211; <a title="Bio - Andrew Waite" href="http://infosanity.wordpress.com/about/bio-andrew-waite/">Andrew Waite</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[60 Minutes: Sabotaging The System]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/11/10/60-minutes-sabotaging-the-system/</link>
<pubDate>Tue, 10 Nov 2009 00:49:20 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/11/10/60-minutes-sabotaging-the-system/</guid>
<description><![CDATA[Well I guess 60 Minutes made the INFOSEC news wires burn today as they reported on something I have ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><img class="aligncenter" src="http://junksweb.com/site/wp-content/uploads/60-minutes.jpg" alt="" width="600" height="280" /></p>
<p>Well I guess 60 Minutes made the INFOSEC news wires burn today as they reported on something I have been saying for some time now. Who&#8217;da thunk it, but our infrastructure is vulnerable, we are constantly under attack, and generally, the US is not at all prepared for an attack that could bring down the power.</p>
<p>Really? NO WAY!</p>
<p>See folks, I am not &#8220;completely&#8221; paranoid! Take it from the FBI guy, as well as McConnel who pretty much gave up the jewels in their interviews. See, what they had to say was to be unsaid by folks I know who have been sworn to secrecy. Guess perhaps all the &#8220;detail&#8221; given was done so for a reason? Perhaps to get someone&#8217;s ass in gear to appoint a Tsar?</p>
<p>Who knows.</p>
<p>All I know is that I sat there watching this and thinking;</p>
<p>&#8220;Who DIDN&#8217;T know this?&#8221;</p>
<p>I mean really, the attacks on Rio&#8217;s infrastructure were just a prelude as you might surmise from the report. Probing has been going on for some time and the Rio systems were a soft target. Our systems are just as porous and have been infiltrated for some time. I mean what do you expect when chuckleheads start connecting SCADA to internet connected networks huh?</p>
<p>This report also made me think about my post in August about the EMP threat that the government seems to have suddenly taken a real interest in this last year. All this time they have known about the vulnerabilities and have done nothing to remediate them. Add to this, as the veiled reporting intimated in last night&#8217;s piece, that much of the hardware that runs and regulates our grid is made in China! It&#8217;s not off the shelf kind of stuff and were we to have an epic cascade and failure, it would be some time before we could get new systems from China. Time that could amount to a year at the least.</p>
<p>So the big question is what are we doing here? The &#8220;we&#8221; being our government. As you could see from the report, the senate told the power companies to start remediations and they outright lied to congress about their remediations. Remediations that NEVER happened.</p>
<p>Trust us, we&#8217;re your friendly power company!</p>
<p>Right.</p>
<p>Oh well, I guess it&#8217;s time for you all out there to start thinking about getting your supplies together. As McConnell said it:</p>
<p>&#8220;I&#8217;d do it during the winter, I&#8217;d hit the northeast&#8221;</p>
<p>Say, it&#8217;s almost winter&#8230;. Oh my&#8230; And we don&#8217;t have a John McClaine to save us.</p>
<p>60 Minutes: <a href="http://www.cbsnews.com/video/watch/?id=5578986n">Sabotaging The System</a></p>
<p>EDIT: According to Wired, certain sources are saying that it was not a hacker or hackers that caused the outage&#8230;</p>
<blockquote><p><em>SAO PAULO, Brazil — A massive 2007 electrical blackout in Brazil has been newly blamed on computer hackers, but was actually the result of a utility company’s negligent maintenance of high voltage insulators on two transmission lines. That’s according to reports from government regulators and others who investigated the incident for more than a year</em></p>
<p><em><a href="http://www.wired.com/threatlevel/2009/11/brazil_blackout/">Wired Article</a></em></p></blockquote>
<p><em>Hmmm well, all I have to say is &#8220;gee, really.. I am sure that the government of Rio would love to admit they had a power DoS by hackers&#8221; But.. it&#8217;s plausible&#8230; Kinda like a downed tree limb causing the whole of  NYC being dark&#8230;</em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Nuclear OPSEC FAIL]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/10/30/nuclear-opsec-fail/</link>
<pubDate>Fri, 30 Oct 2009 01:21:09 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/10/30/nuclear-opsec-fail/</guid>
<description><![CDATA[While surfing the intertubes today I came across this little piece of OPSEC FAIL on the DOE.gov site]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><img class="aligncenter" src="http://68.15.56.91/temp/reactor.jpg" alt="" width="640" height="429" /></p>
<p>While surfing the intertubes today I came across this little piece of <a href="http://www.ne.doe.gov/np2010/reports/mainReportAll5.pdf">OPSEC FAIL</a> on the DOE.gov site. I believe it is a planned site per the document, but, this is rather detailed even for a plan to just be out there for any Jihadist to download.</p>
<p>This brings up the whole OPSEC issue. Too many places just fail to understand the precepts of <a href="http://en.wikipedia.org/wiki/Operations_security">OPSEC</a> even within the rarefied air of the DOE where super mental geniuses work on the next generation transwarp drive. It seems especially these folks fail to understand the needs for secrecy.</p>
<p>Of course looking toward the private sector, I see way too many places that fail to comprehend OPSEC never mind try to implement and enforce the rules surrounding it to protect their data.</p>
<p>Even defense contractors&#8230; Now there&#8217;s a scary thought huh?</p>
<p>Oh well.. Let&#8217;s just hope the next wave of homegrown jihadis can&#8217;t read or use Google.</p>
<p>&#8230; Now where is that zombie apocalypse we were promised?</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Rapid7 Acquire Metasploit]]></title>
<link>http://infosanity.wordpress.com/2009/10/21/rapid7-acquire-metasploit/</link>
<pubDate>Wed, 21 Oct 2009 17:08:15 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/10/21/rapid7-acquire-metasploit/</guid>
<description><![CDATA[I&#8217;d guess this won&#8217;t be breaking news to anyone as it was always going to generate a buz]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I&#8217;d guess this won&#8217;t be breaking news to anyone as it was always going to generate a buzz once announced, but for anyone who has missed today&#8217;s revelations; Metasploit has been acquired by Rapid7 with <a title="HDM blog post" href="http://blog.metasploit.com/2009/10/metasploit-rising.html">HDM</a> and <a title="Egypt blog post" href="http://blog.metasploit.com/2009/10/joining-team.html">Egypt</a> joining the company.</p>
<p>Since the news broke the Metasploit IRC channel (#metasploit, on irc.freenode.net) has been alive with conversation and debate, some good wishes for the team&#8217;s future, and others concerned by the future of the project. One aspect that has been stated by all parties is that the Metasploit framework is to remain open source. The blog posting released by <a title="Rapid7 blog posting" href="http://blog.rapid7.com/?p=5082">Rapid7</a> attempts to allay any fears or concerns that may be created by the news.</p>
<p>As no one can see the future it is impossible to determine whether the move will be a boon or a problem for the industry as a whole, or what lies in store for the future of the framework, so I won&#8217;t try to comment, especially as those <a title="Dark Operator Tweet" href="http://twitter.com/Carlos_Perez/status/5044141395">better placed</a> than me seemed as much in the dark as the rest of us.</p>
<p>Congratulations to HD Moore and the team; regardless of the future, the work they have put into the project has been of great assistance to the community, and provided freely at the expense of free time. Given past history I&#8217;ll trust that the project will continue to assist the community as it has previously.</p>
<p>Thank you for your efforts to this point.</p>
<p>&#8211; <a title="Bio - Andrew Waite" href="http://infosanity.wordpress.com/about/bio-andrew-waite/">Andrew Waite</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Monday mOndAy m...]]></title>
<link>http://billatlas.wordpress.com/2009/10/19/monday-monday-m/</link>
<pubDate>Mon, 19 Oct 2009 20:19:21 +0000</pubDate>
<dc:creator>billatlas</dc:creator>
<guid>http://billatlas.wordpress.com/2009/10/19/monday-monday-m/</guid>
<description><![CDATA[gahhh, why wont wordpress allow me to use scripts? I understand the security implications, but rest ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>gahhh, why won&#8217;t wordpress allow me to use scripts?</p>
<p>I understand the security implications, but rest assured wordpress there are plenty of other 0-days I am sure you have yet to secure. We all know the only reason that last scripting incident came back to bite you, is because you have so many users that don&#8217;t realize the consequences of their actions.</p>
<p>(i.e. clickthroughs, CSRF, etc.)</p>
<p>&#62;rant ended&#60;</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[30 Years of Password FAIL]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/10/18/30-years-of-password-fail/</link>
<pubDate>Sun, 18 Oct 2009 17:11:07 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/10/18/30-years-of-password-fail/</guid>
<description><![CDATA[It&#8217;s not simply that we have empirical evidence suggesting that passwords are easy to crack; n]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><img class="aligncenter" src="http://guestofaguest.com/wp-content/uploads/2008/12/hess-1987-barrel-truck.png" alt="" width="537" height="242" /></p>
<blockquote><p>It&#8217;s not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn&#8217;t perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, &#8220;the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings&#8217; long-term memory.&#8221; And, although our long-term memory for images and words that we&#8217;ve assigned meanings to is quite good, we don&#8217;t do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It&#8217;s another challenge entirely to remember which password to associate with a specific account.</p></blockquote>
<p><a href="http://arstechnica.com/business/news/2009/10/30-years-of-failure-the-user-namepassword-combination.ars">Full Article Here:</a></p>
<p>Well, there you have it. The human brain just can&#8217;t handle complex passwords? Really? Uhhh, how about this theory in its place:</p>
<p>&#8220;PEOPLE ARE RAPIDLY BECOMING SLOTH LIKE LUMPS OF STUPID&#8221;</p>
<p>&#8230; Yeah, now I feel better&#8230;</p>
<p>So where were we&#8230; Oh yeah, evidently the human brain isn&#8217;t so good at linking random strings of data to login data needed to access systems. Interesting&#8230; So this lump of grey matter is generally unable to do this well after thousands and thousands of years of evolution, eh? Seems to me that through rote memory as well as muscle memory I do just fine with complex passwords. Or is it that I am some sort of &#252;bermensch?</p>
<p>This only leads me back to the idea that the human condition really is just fat, dumb and lazy and this is just a malaise we have created for ourselves. Let the empirical data of this &#8220;survey&#8221; be damned. What&#8217;s worse though comes in another passage later on:</p>
<blockquote><p>One possibly disturbing development was noted: <em><strong>about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. </strong></em>Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.</p></blockquote>
<p>This bugs me. Mostly because I know it&#8217;s all too true that many people, if they don&#8217;t really understand the precepts of infosec, will just not care or give up. They will instead, if allowed, become the worst security threats to an environment through their sloth.</p>
<p>I see it every day, this nonchalance&#8230; And every time I say we need to ensure that things are done securely I get the look of:</p>
<p>&#8220;There he goes again&#8221;</p>
<p>Sheeple.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Does Your Company Classify, Protect, and Track Its Data?]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/10/18/does-your-company-classifyprotect-and-track-its-data/</link>
<pubDate>Sun, 18 Oct 2009 15:25:44 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/10/18/does-your-company-classifyprotect-and-track-its-data/</guid>
<description><![CDATA[Ex-Ford employee held in data theft Engineer charged with copying proprietary documents and trying t]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><blockquote>
<h1 style="font-size:1.5em;color:#0d2569;line-height:1.1em;border:medium none initial;margin:.25em 0;padding:0;"><img class="aligncenter" src="http://cmsimg.detnews.com/apps/pbcsi.dll/bilde?Site=C3&#38;Date=20091016&#38;Category=AUTO01&#38;ArtNo=910160357&#38;Ref=AR&#38;Profile=1148&#38;Q=100&#38;MaxW=290&#38;MaxH=290" alt="" width="290" height="213" /></h1>
<h1 style="font-size:1.5em;color:#0d2569;line-height:1.1em;border:medium none initial;margin:.25em 0;padding:0;">Ex-Ford employee held in data theft</h1>
<h2 style="font-size:1em;line-height:1em;color:#666666;border:medium none initial;margin:0 0 .5em;padding:0;">Engineer charged with copying proprietary documents and trying to sell them in China</h2>
<h4 style="font-size:.8em;font-weight:bold;color:#262626;border:medium none initial;margin:.5em 0;padding:0;">Bryce G. Hoffman / The Detroit News</h4>
<p style="font-size:.8em;color:#262626;line-height:1.5em;border:medium none initial;margin:0 0 .5em;padding:0;">The Justice Department charged a former <a style="text-decoration:underline!important;color:#006400!important;font-weight:normal!important;font-size:13px;background-color:transparent!important;border-color:initial initial #006400!important;border-style:none none solid!important;border-width:medium medium .075em!important;margin:0;padding:0 0 1px!important;" href="http://www.detnews.com/article/20091016/AUTO01/910160357/1148/Ex-Ford-employee-held-in-data-theft#" target="_blank">Ford</a> Motor Co. engineer with stealing company secrets and trying to peddle them to Chinese competitors.</p>
<p style="font-size:.8em;color:#262626;line-height:1.5em;border:medium none initial;margin:0 0 .5em;padding:0;">Chinese-born Xiang Dong Yu &#8212; also known as Mike Yu &#8212; was arrested Wednesday at Chicago&#8217;s O&#8217;Hare International Airport when he tried to re-enter the country from China. The 47-year-old is charged with five counts of theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer.</p>
<p style="font-size:.8em;color:#262626;line-height:1.5em;border:medium none initial;margin:0 0 .5em;padding:0;">According to a federal indictment unsealed Wednesday, Yu was a product engineer for Ford from 1997 to 2007 and had access to Ford trade secrets. Law enforcement officials say that, just prior to leaving the Dearborn automaker, Yu copied thousands of confidential documents, including what they described as &#8220;sensitive Ford design documents&#8221; and &#8220;system design specification documents.&#8221;</p>
</blockquote>
<p style="font-size:.8em;color:#262626;line-height:1.5em;border:medium none initial;margin:0 0 .5em;padding:0;"><a href="http://www.detnews.com/article/20091016/AUTO01/910160357/1148/Ex-Ford-employee-held-in-data-theft">Full Story Here:</a></p>
<p>Ya know, is it me, or are we seeing more cases of industrial espionage from China lately? Hmmm, guess it&#8217;s just my imagination&#8230; NOT. So, this begs a question:</p>
<p>&#8220;Just how many more cases have there been that just never got caught on to?&#8221;</p>
<p>Now, I assume that Ford caught on to his espionage by one of two scenarios:</p>
<ul>
<li><em>Yu was sloppy and someone in his group of workmates saw or felt that he was taking large amounts of data or acting strangely</em></li>
<li><em>Yu was caught with auditing from the file servers that he was accessing the data from</em></li>
</ul>
<p>Now, I would love to think that they had auditing measures in place and caught on to his taking of mass quantities of data by copying them to an external drive&#8230; But&#8230; Well, given what I have seen in many companies, this just isn&#8217;t as likely a scenario as one might suspect.</p>
<p>So, ask yourself this question: just how many companies out there that make important machines, or hold important data, are actually performing the &#8220;due diligence&#8221; to protect their own IP from being stolen and placed in the hands of the likes of China?</p>
<p>My last post has insight into the collective mindset at many corporations. Security has always been the first budget to be cut in bad times and even today, with all the threats in the environment, the corps still cut off their nose to spite their face.</p>
<p>Now take this idea and apply it to the government. A place where turf wars are preventing proper securing of the space and laws are weak&#8230;</p>
<p>Good god we are screwed&#8230;</p>
<p>No wonder all of the &#8220;Cyber Tsars&#8221; keep quitting eh?</p>
<p>Just sayin&#8230;</p>
<p>Anyway, one has to wonder just how much of our data is in the Chinese hands by the likes of Mr. Yu and others like him&#8230; Perhaps we will never know because companies are just not able to, or willing to implement the right proactive remediations to stop them if not just track their data leaving their domains&#8230;</p>
<p>** EDIT ** Well, in looking through some Google searches it seems that they caught Yu getting OFF the plane from Mainland China&#8230; So&#8230; OOPSIES, I guess Ford was not too proactive, were they&#8230; Damage done.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[An IT security pro's personal tale of a long and bloody job hunt and what it says about the industry's current state of affairs.]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/10/18/an-it-security-pros-personal-tale-of-a-long-and-bloody-job-hunt-and-what-it-says-about-the-industrys-current-state-of-affairs/</link>
<pubDate>Sun, 18 Oct 2009 00:38:01 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/10/18/an-it-security-pros-personal-tale-of-a-long-and-bloody-job-hunt-and-what-it-says-about-the-industrys-current-state-of-affairs/</guid>
<description><![CDATA[Why is it that when a serious breach occurs, the executives panic and find the budget to spend extra]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><blockquote>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;"><img class="aligncenter" src="http://blog.clotinc.com/pavlos/files/2009/08/anonymousdemotivator.jpg" alt="" width="250" height="313" /></p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business &#8212; the security of their data? Don&#8217;t they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organization? Several states and the federal government have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Never mind the mountains of lawsuits that can put a company out of business. This is what&#8217;s going on &#8212; many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization&#8217;s assets at risk &#8212; particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilized, and at least four of the national laboratories are in an all-out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation&#8217;s infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.</p>
</blockquote>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">While I am still gainfully employed, I also can say I have seen firsthand this &#8220;effect&#8221; in many places over my time in the field of information security. I can also attest that in this climate companies are still very much trying to do more with less, including security. Though much of the time they instead choose &#8220;security through obscurity&#8221; or outright ignorance as their way ahead.</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Frankly, unless the government creates and imposes laws and large fines for data loss, all too many companies are willing to sign off on the risks of compromise even if they are high and just hope for the best. At worst, there are companies with CIOs who are just not cognizant at all about information security and instead focus all their attention on the financial bottom line and &#8220;customer satisfaction&#8221; instead.</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Still worse, imagine the CIO or the CSO who knows the dangers and is forced to or chooses to ignore them to save the company money. In the end though, they all are likely to feel the sting of the hackers&#8217; keyboard as they steal their data and perhaps their reputations.</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">So why is it that these companies and C-level execs just fail to see or blind themselves to the dangers and work toward remediating them?</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Greed?</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Sloth?</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">Inability to grasp subtle concepts like hacking?</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;">I really wonder&#8230;</p>
<p style="font-size:12px;line-height:16px;margin:0 0 15px;"><a href="http://www.csoonline.com/article/504903/Undercover_A_Painful_Lack_of_Security_Jobs?page=1">Full Story</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Stopping Denial of Service attacks]]></title>
<link>http://libraryowl.com/2009/10/14/denial/</link>
<pubDate>Wed, 14 Oct 2009 22:37:25 +0000</pubDate>
<dc:creator>nataliebinder</dc:creator>
<guid>http://libraryowl.com/2009/10/14/denial/</guid>
<description><![CDATA[Note:  Portions of this entry appeared in an unpublished case study I drafted on the DDoS attack on ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:left;"><em>Note:  Portions of this entry appeared in an unpublished case study I drafted on the <a href="http://mashable.com/2009/09/12/joe-wilson-ddos/" target="_blank">DDoS attack on Pyrix, Inc</a>.  </em></p>
<p>As Web usage and hacker attacks increase, it is important for small and rural libraries to reevaluate the vulnerability of their information systems.  Even relatively low-profile organizations can face security threats.  </p>
<p><strong>Denial of Service</strong> or DoS attacks are a common type of hacker attack.  DoS attacks block  web sites by overwhelming them with illegitimate traffic.  They require little technical expertise to commit and are notoriously difficult to defend against.   Due to smaller IT staffs and security budgets, small libraries may be even more vulnerable than their larger counterparts.  Library directors should keep these increased risks in mind when preparing new security policy and/or budgeting for information security.</p>
<p>Here are some simple tips to help smaller libraries and other government and social organizations prepare for and respond to a DoS attack:</p>
<ul>
<li><strong>Stay up-to-date.</strong> Regular maintenance is the best way to identify and repair security vulnerabilities before they become security exploits. Download recommended upgrades and patches as soon as they become available&#8211;and don&#8217;t neglect your library-specific software. Touch base with the companies that provide your card catalog and patron information applications.</li>
<!--more-->
<li><strong>Monitor bandwidth.</strong> The first sign that your system is under attack may be an unusual or unexpected spike in bandwidth usage. There are many products and programs that will alert your IT department to bandwidth issues. In addition to detecting DoS attacks, this software may alert you to other serious concerns, such as excessive or illegal movie, music or video downloads.</li>
<li><strong>Coordinate with your Internet Service Provider (ISP).</strong> Most libraries, especially those with very small IT staffs, will depend at least partially on their Internet Service Providers (ISPs) to detect and mitigate a DoS attack. Coordinate closely with your ISP to plan a response, identify priority traffic and provide specific details about your library&#8217;s networks, software and systems.</li>
<li><strong>Control traffic during an attack.</strong> Denial of service response strategies depend on freeing up additional bandwidth, identifying legitimate traffic and blocking the attackers&#8217; access to the target network. Both hardware and software can be used to achieve these goals. Firewalls and routers block excessive traffic and re-direct legitimate users to the network. Companies can also change their domain name servers (DNS) or IP addresses and close down connections that are under attack.</li>
<li><strong>If you are under attack, consider hiring help.</strong> The strategies listed above should allow at least some legitimate users to access the target site. However, it may take several hours or days of intense work to fully mitigate the impact of a DDoS attack. If companies believe they cannot afford the time and technical investment required to completely block illegitimate traffic, it may be worthwhile to hire or retain the services of a professional DDoS mitigation company.</li>
</ul>
<p>Along with support from a skilled information technology staff, these strategies can help small libraries mitigate and respond to this common type of computer attack.</p>
<p><em>Have you had experience with DoS attacks at your library?  Do you have other tips to help smaller libraries boost their Web security?  Share them in the comments section.</em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Get it together, Twitter]]></title>
<link>http://facenoise.wordpress.com/2009/10/13/get-it-together-twitter/</link>
<pubDate>Wed, 14 Oct 2009 02:21:25 +0000</pubDate>
<dc:creator>kevvyg</dc:creator>
<guid>http://facenoise.wordpress.com/2009/10/13/get-it-together-twitter/</guid>
<description><![CDATA[Not to beat a dead horse or anything, but c&#8217;mon Twitter. This is getting to be a bit much now,]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://www.wired.com/beyond_the_beyond/2008/09/steampunk-photo/"><img alt="" src="http://www.wired.com/images_blogs/photos/uncategorized/2008/09/17/stevecantu.jpg" title="Steampunk Dead Horse Beater" class="alignnone" width="450" height="247" /></a></p>
<p>Not to beat a dead horse or anything, but c&#8217;mon Twitter.  This is getting to be a bit much now, don&#8217;tcha think?</p>
<p><a href="http://mashable.com/2009/10/13/twitter-warning/">Mashable pointed out</a> that <a href="http://status.twitter.com/post/212318608/researching-username-password-change-problems">Twitter is currently asking people not to change their usernames, passwords, or email addresses</a>.  Folks who do so may find themselves locked out of their accounts.</p>
<p>What a horrible behavior to reinforce.  Don&#8217;t change your password &#8211; things might break!  BE AFRAID OF TAKING A BEST-PRACTICE SECURITY MEASURE!!</p>
<p>Over the past couple of weeks, we&#8217;ve had <a href="http://www.pingdom.com/reports/vb1395a6sww3/month/?name=twitter.com%2Fhome&#38;month=10&#38;year=2009">outage</a> after <a href="http://www.cbsnews.com/stories/2009/10/08/tech/cnettechnews/main5372000.shtml">outage</a>, <a href="http://mashable.com/2009/09/23/twitter-worm-dms/">problems with malware</a>, and now this?  </p>
<p>I definitely don&#8217;t think <a href="http://www.technewsworld.com/story/Is-the-Internet-Falling-Apart-68352.html">the Internet is falling apart</a>, but social media service providers really need to start focusing on security if they&#8217;re going to survive. If people don&#8217;t feel safe using your service, they won&#8217;t.  And that&#8217;s not a good thing for anyone.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[OIG_09-101: Vulnerabilities Highlight the Need for More  Effective Web Security Management]]></title>
<link>http://crabbyolbastard.wordpress.com/2009/10/14/oig_09-101-vulnerabilities-highlight-the-need-for-more-effective-web-security-management/</link>
<pubDate>Wed, 14 Oct 2009 02:00:59 +0000</pubDate>
<dc:creator>crabbyolbastard</dc:creator>
<guid>http://crabbyolbastard.wordpress.com/2009/10/14/oig_09-101-vulnerabilities-highlight-the-need-for-more-effective-web-security-management/</guid>
<description><![CDATA[Vulnerabilities Highlight the Need for More Effective Web Security Management So it seems that the O]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<p><img class="aligncenter" src="http://byerly.org/posters/failure.jpg" alt="" width="298" height="400" /></p>
<p>So it seems that the OIG finally caught up with DHS about their poor Internet security. The OIG hired some consultants and poked the DHS.gov site and others. What came out was, well, they were rather weak on the security thing. This is nothing new; I have been googling around their stuff for some time now and in fact, they, and often the LEOs that they pass data to, leak said data like a sieve much of the time. I cannot tell you how many documents end up on wikileaks because of their problems&#8230; Never mind how much they may have been hacked by foreign powers or the kiddies.</p>
<p>What makes me laugh the most is that they have redacted the report with yellow highlight but failed to remove the listing of all the sites that they audited! Hey kids! C&#8217;mon over to these here sites! They&#8217;re vulnerable!</p>
<p><a href="http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-101_Sep09.pdf">PDF</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Departure of the Pentagon CISO]]></title>
<link>http://lewisshepherd.wordpress.com/2009/10/13/departure-of-the-pentagon-ciso/</link>
<pubDate>Tue, 13 Oct 2009 22:47:48 +0000</pubDate>
<dc:creator>lewisshepherd</dc:creator>
<guid>http://lewisshepherd.wordpress.com/2009/10/13/departure-of-the-pentagon-ciso/</guid>
<description><![CDATA[I&#8217;ve had the good fortune to work with talented folks in my (short) time in Washington, since ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I&#8217;ve had the good fortune to work with talented folks in my (short) time in Washington, since moving back East in 2002, particularly in the Intelligence Community and Department of Defense. And one such fellow at DoD has been <a href="http://www.federalnewsradio.com/index.php?nid=35&#38;sid=1769067" target="_blank">Bob Lentz</a>, the outgoing deputy assistant secretary of Defense for information and identity assurance &#8211; the Chief Information Assurance Officer and equivalent to a private-sector CISO.</p>
<p>I gave an interview this afternoon to Federal News Radio (AM 1500 in the DC area, worldwide at <a href="http://www.FederalNewsRadio.com">www.FederalNewsRadio.com</a>), on Bob&#8217;s tenure, and what will come next for DoD in the wake of his departure. You can <a href="http://www.federalnewsradio.com/index.php?nid=35&#38;sid=1785032" target="_blank">read the news story about the interview here</a>, or listen to the entire 15-minute interview as an mp3:</p>
<p style="padding-left:30px;"><a href="http://media.bonnint.net/wtop/16/1663/166392.mp3">Shepherd interview on Federal News Radio, 10/13/2009</a></p>
<p><!--more-->Not everything has gone perfectly, or even well, for Pentagon infosec during his tenure; we have been fighting several wars, declared and undeclared, real and cyber, during the past few years. It&#8217;s an unbelievably daunting mission, to secure the nation&#8217;s ability to defend herself and our most critical systems amid unrelenting attack.</p>
<p>But Bob has worked closely with the private sector on information security technological advances &#8211; he and I joined several leading Silicon Valley startup CEOs, leading-firm CISOs, and venture-capital entrepreneurs in the <a href="http://www.security-innovation.org/itsef/speakers.htm" target="_blank">Information Technology Security Entrepreneurs Forum</a>, or ITSEF.  He&#8217;s worked closely with DHS and NSA, including in the <a href="http://www.federalnewsradio.com/?sid=1669746&#38;nid=35" target="_blank">establishment of the Pentagon&#8217;s Cyber Command</a>. He has also taken a number of counter-intuitive approaches, ranging from <a href="http://newsblaze.com/story/2009071010110200002.pnw/topstory.html" target="_blank">getting involved with Black Hat and DEFCON</a>, to establishing jointly with the IC the Unified Cross Domain Management Office, or UCDMO. If you have the right credentials, visit the <a href="https://www.intelink.gov/sites/ucdmo" target="_blank">UCDMO SharePoint Collaboration Site (requires Intelink-U Access)</a>, or see their open web site at <a href="http://www.ucdmo.gov/">http://www.ucdmo.gov/</a>.</p>
<p>This week Bob himself published a great &#8220;farewell column&#8221; in Government Computer News, &#8220;<a href="http://gcn.com/articles/2009/10/09/robert-lentz-dod-farewell-column.aspx" target="_blank">5 Key Challenges to DoD&#8217;s Cybersecurity</a>.&#8221; The article includes policy advice for his successor and the Defense Department as a whole &#8211; but it is thoughtful advice that should be read by any CISO.  I&#8217;ll include his bullet-point list from the article: he writes, &#8220;If I had to list five of the biggest challenges that remain, my list would include&#8221;:</p>
<ul>
<li>The need to continuously harden the network, in this era of Web 2.0, cloud services, and increased mobile workforce and growing global requirements.</li>
<li>The whole area of Supply Chain Risk Management. As the threat changes, we need to adjust as well, which includes rolling out technologies that inspect and secure the supply chain.</li>
<li>Raising awareness across DOD and greater national security community on cyber resilience, so that commanders are prepared to operate in a contested cyber domain when communications are degraded or, worse, untrusted. The increased complexity of our technologies, coupled with our even greater dependence on them for mission success, make this an imperative.</li>
<li>The necessity of education, training and workforce manning for critical IT/IA skill sets.</li>
<li>And, again, the need to move to multi-factor and attribute-based identity assurance access for people, devices, data and applications.</li>
</ul>
<p>That third bullet could be read as a provocative statement (which in Washington terms means admitting the truth):<strong><em> Imperfection, in DoD!</em></strong>  Military commanders are going to have to put up with &#8220;untrusted&#8221; communications systems in &#8220;a contested cyber domain.&#8221;  That&#8217;s the harsh reality, and military commanders are on the front lines in facing it. Bob Lentz&#8217;s successor will find his boots challenging to fill.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Recap: The Enterprise SaaS Working Group]]></title>
<link>http://conformity.wordpress.com/2009/10/01/recap-the-enterprise-saas-working-group/</link>
<pubDate>Thu, 01 Oct 2009 21:46:46 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/10/01/recap-the-enterprise-saas-working-group/</guid>
<description><![CDATA[It&#8217;s been an exciting few days here at Conformity after our recent GA announcement and the kic]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>It&#8217;s been an exciting few days here at <a href="http://www.conformity-inc.com" target="_blank">Conformity</a> after our recent <a href="http://www.prweb.com/releases/2009/09/prweb2966874.htm" target="_blank">GA announcement</a> and the kickoff of the <a href="http://www.conformity-inc.com/archive/newsletter/enterprise_SaaS_webinar_invite_public.htm" target="_blank">Enterprise SaaS Working Group</a> yesterday.  We had a very lively, engaging debate on the key issues the group believes need to be addressed for SaaS and cloud applications to become ‘mainstream’ technologies in the enterprises.  The group featured a diverse set of executive perspectives from cloud vendors, thought leaders and practitioners, and included:</p>
<ul>
<li><a href="http://www.linkedin.com/in/petercoffee" target="_blank">Peter Coffee</a>, Director of Platform Research, Salesforce.com</li>
<li><a href="http://www.successfactors.com/company/management/tom-fisher/" target="_blank">Tom Fisher</a>, VP of Cloud Computing, SuccessFactors</li>
<li><a href="http://www.appirio.com/company/leadership.php#ryan" target="_blank">Ryan Nichols</a>, VP Cloudsourcing and Cloud Strategies, Appirio</li>
<li><a href="http://www.451group.com/about/bio_detail.php?eid=122" target="_blank">Steve Coplan</a>, Senior Analyst, Enterprise Security Practice, The 451 Group</li>
<li><a href="http://blogs.ingres.com/dougharr/about/" target="_blank">Doug Harr</a>, CIO, Ingres Corporation</li>
<li><a href="http://www.linkedin.com/pub/scott-carruth/0/267/376" target="_blank">Scott Carruth</a>, VP Information Systems, Initiate Systems</li>
<li><a href="http://www.linkedin.com/in/mikeamend" target="_blank">Michael Amend</a>, Director of Enterprise Architecture, Dell Inc.</li>
</ul>
<p>A quick highlight of some of the discussion yesterday:</p>
<ul>
<li><strong>PaaS/SaaS – which model ‘wins’ in the enterprise? </strong>While opinions differed, a common sentiment shared by the panel was that there’s not going to be a ‘right answer’ for all organizations. Depending on the industry vertical, business process or IT management model, PaaS or SaaS could be the ‘right answer’, and in many situations organizations could have PaaS and SaaS offerings sitting side by side.</li>
<li><strong>Private clouds – part of the answer or indicative of SaaS market immaturity? </strong>As with the PaaS/SaaS discussion, a common theme was ‘it depends’. The core advantage to SaaS and cloud delivery models is the ability to share resources – what part of the stack organizations decide they’d like to share will likely be driven primarily by security concerns and issues. A likely scenario, as with PaaS/SaaS, is that different models will be adopted by different types of organizations depending on security and operational requirements.</li>
<li><strong>Enterprise SaaS adoption &#8211; when does it overtake on-premise? </strong>Two different perspectives were discussed around when SaaS will overtake on-premise apps in the enterprise. A common belief of the group was that SaaS is winning in a majority of new deals in the enterprise today, with the perspective shared that 50-75% of enterprises would ‘flip the switch’ on cloud in some manner by approximately 2012. Peter Coffee of Salesforce also shared his belief that the total installed base for SaaS would outnumber on-premise apps by 2020, though there would also likely be 1-2% of the market that would be ‘holdouts’.</li>
<li><strong>Any applications that SaaS/cloud won’t be able to penetrate? </strong>If architected and deployed correctly, there are no perceived areas in which SaaS and cloud application models could not be leveraged, with Peter Coffee of Salesforce, Tom Fisher of SuccessFactors and Ryan Nichols of Appirio all providing compelling examples of large-scale, transaction-intensive customer deployments.</li>
</ul>
<p>The full recording of the webinar is available and can be accessed by clicking <a href="https://cc.readytalk.com/cc/playback/Playback.do?id=d3seox" target="_blank">here</a>.  Also, Ryan Nichols at Appirio had a great post on their perspective on our discussion topics <a href="http://blog.appirio.com/2009/09/summary-questions-asked-of-enterprise.html" target="_blank">here</a>.</p>
<p>Please drop us an email at <a href="mailto:eswg@conformity-inc.com">eswg@conformity-inc.com</a> to be added to our mailing list, and to be notified of future Enterprise SaaS Working Group news and events.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Conformity Announces GA Release of First Enterprise-Class Management Platform for SaaS and Cloud Apps]]></title>
<link>http://conformity.wordpress.com/2009/09/30/conformity-announces-ga-release-of-first-enterprise-class-management-platform-for-saas-and-cloud-apps/</link>
<pubDate>Wed, 30 Sep 2009 22:18:05 +0000</pubDate>
<dc:creator>Scott Bils</dc:creator>
<guid>http://conformity.wordpress.com/2009/09/30/conformity-announces-ga-release-of-first-enterprise-class-management-platform-for-saas-and-cloud-apps/</guid>
<description><![CDATA[We&#8217;re excited to announce today the general availability of the Conformity solution, which pro]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>We&#8217;re excited to announce today the general availability of the <a href="http://www.conformity-inc.com/solution/" target="_blank">Conformity solution</a>, which provides customers the first enterprise-class management platform for cloud applications and users.  The Conformity solution is designed to arm enterprises with the same level of visibility and control over on-demand applications as they’ve come to expect with traditional packaged apps.  With our solution, enterprises can now be confident bringing new cloud applications into their business environments, knowing there will no longer be compromises made in the areas of management processes, insight and control.  With today&#8217;s GA, enterprises can:</p>
<ul>
<li>Increase data security and reduce compliance risks</li>
<li>Optimize license allocation and expenses</li>
<li>Automate and streamline administration</li>
<li>Expand and extend enterprise usage of SaaS and cloud applications</li>
</ul>
<p>Specific capabilities of the Conformity solution include:</p>
<ul>
<li><strong>User provisioning</strong> – provides a centralized point for provisioning and deprovisioning user accounts within cloud applications, and ongoing management of user permissions and authorizations.</li>
<li><strong>Role and profile management</strong> – enables organizations to centrally manage cloud application roles, profiles and permissions through normalized permission models, and maps policies to users and roles.</li>
<li><strong>Approval workflows</strong> – provides auditable cross-functional approval processes for users requiring new or amended access permissions, or role and profile changes.</li>
<li><strong>Directory integration</strong> – enables organizations to seamlessly synchronize Conformity’s user repository with on-premise directory services.</li>
<li><strong>Compliance reporting</strong> – provides reports required for effective preparation for audits for SOX, HIPAA, PCI and other regulatory mandates and standards.</li>
<li><strong>Usage analytics</strong> – provides visibility, analytics and reporting on cloud application and license utilization.</li>
<li><strong>Change management</strong> – enables archiving, management and recovery of application configurations and role models.</li>
</ul>
<p>The Conformity platform provides templates, tools and workflow needed to manage all cloud applications in a customer&#8217;s environment.  Conformity also provides additional analytics, reporting and provisioning automation through integrations with the following leading cloud applications:</p>
<ul>
<li><a href="http://www.salesforce.com/" target="_blank">Salesforce.com</a></li>
<li><a href="http://www.netsuite.com/" target="_blank">NetSuite</a></li>
<li><a href="http://www.successfactors.com" target="_blank">SuccessFactors</a></li>
<li><a href="http://www.xactlycorp.com/" target="_blank">Xactly Incent</a></li>
<li><a href="http://www.google.com/" target="_blank">Google Apps</a></li>
<li><a href="http://www.openair.com/" target="_blank">OpenAir</a></li>
<li><a href="http://www.quickarrow.com/" target="_blank">QuickArrow</a></li>
</ul>
<p>The Conformity platform also supports directory integration for Microsoft Active Directory, and is compatible with industry standards such as SPML, SAML and WS-Federation.</p>
<p>Please click <a href="http://www.conformity-inc.com/about/news-and-events/conformity-announces-general-availability-of-first-enterprise-class-management-platform-for-cloud-applications/" target="_blank">here</a> to read the full announcement, and stay tuned for more upcoming news!!!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Traps on the internet]]></title>
<link>http://dannyranjeev.wordpress.com/2009/09/28/traps-on-the-internet/</link>
<pubDate>Mon, 28 Sep 2009 17:47:54 +0000</pubDate>
<dc:creator>dannyranjeev</dc:creator>
<guid>http://dannyranjeev.wordpress.com/2009/09/28/traps-on-the-internet/</guid>
<description><![CDATA[Introduction We all learn at a very young age to analyse – either consciously or unconsciously – oth]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h2><strong>Introduction</strong></h2>
<p>We all learn at a very young age to analyse – either consciously or unconsciously – other people&#8217;s body language and intonation. Research shows that about 60% of the time, we pay more attention to a person&#8217;s body language than what they are actually saying, and we use this information to draw conclusions about how truthful a speaker is being. These conclusions are vital in helping us avoid falling victim to scammers, fraudsters or anyone else trying to manipulate us. But fraud and deception aren&#8217;t just a threat in real life – a range of virtual scams have been increasing significantly on the Internet for some time now. This means we have to take a new approach to evaluating possible threats; there&#8217;s no body language or intonation involved in email or social networks, and generally we only have text and graphics to guide us. So does this mean that we can no longer rely on gut instinct?</p>
<p>This would appear to be the case, at least on the face of things. However, the Internet does offer other aspects which can be interpreted and compensate for the gut instinct we feel is lacking; however, for this to work, we need to learn what to watch out for. Cybercriminals and scammers are unlikely to reinvent the wheel, so once you&#8217;ve encountered a scam or threat once, and have learnt that it&#8217;s a scam, you can use this information in the future. This article therefore focuses on some typical examples, and explains how you can protect yourself. This article is primarily aimed at those who are new to the Internet, but who knows, maybe the examples given could also help Internet veterans learn a thing or two.</p>
<h2><strong>Classic E-mail Threats</strong></h2>
<p>If you&#8217;re new to the Internet, probably one of the first things you&#8217;re going to do is set up an email account. Not only do you want friends and family to be able to contact you, you&#8217;ll need a valid email address if you want to buy things online or sign up for forums or social networks.</p>
<p>Unfortunately, just as your mailbox at home can get crammed with advertising fliers which you never requested, your email address can also get filled with unwanted messages. Up to 89% of all emails sent are what is known as spam: messages you never asked for which offer you cheap credit, discount Viagra and a wide range of other products and services. These offers are in no way legitimate, and often the messages will contain links to websites which are infected with viruses, Trojans, or other nasty programs. You should delete the messages without reading, and then they won&#8217;t be able to damage your computer – the only thing you will lose is the time you spend deleting them.</p>
<p>It&#8217;s easy to say you should delete these emails, but sometimes they just look too tempting to throw out. Cybercriminals are smart: they&#8217;re particularly active around major holidays such as Christmas, Easter, and of course Valentine&#8217;s Day. The latter in particular is a golden opportunity for the bad guys – it&#8217;s traditionally the day where you can admit your feelings for someone without embarrassment, even if that person is just a distant acquaintance. So if you got an email on Valentine&#8217;s Day with the subject &#8216;I love you&#8217;, would you open it?</p>
<p>It&#8217;s not only holidays and hot topics that the cybercriminals make use of. The Internet is often described as the ultimate in entertainment media, and there are lots of sites dedicated exclusively to amusing articles, images and videos. We all love a bit of distraction, and cybercriminals play on this, sending messages with intriguing subjects like &#8216;Check out this funny video!&#8217; or &#8216;Funny photo!&#8217; But you should resist the temptation to open the file that&#8217;s attached to the message: it&#8217;s 99.99% likely to contain programs which can damage the data stored on your computer, spy on your online activity, and/or defraud you in some way. In her article, &#8220;Spam evolution: June 2009&#8221;, my colleague Tatyana Kulikova stated that 0.31% of all emails sent on the Russian Internet have malicious attachments. This might not appear to be a particularly high percentage, but given that 500,000 types of spam are sent every day, the total number of messages is going to be fairly large, especially when you consider that any one spam message will be sent to millions of email addresses.</p>
<h2><strong>Phishing</strong></h2>
<p>Probably one of the best-known scams is phishing. You receive an email which asks you to go to a site (the link is given in the email) and enter some personal information – this might be a password, a bank account number etc. The email might look as though it&#8217;s come from your bank, from eBay, from a payment system like PayPal etc. However, no matter how convincing the message might look, it&#8217;s a fake; if you click on the link and enter the information requested, cybercriminals can get hold of your data and use it for their own ends.</p>
<p>A lot of banks have now put additional security measures in place to combat phishing attempts, and this means that phishing emails which target the most widely-used banks are on the decline. However, this doesn&#8217;t mean that this type of scam isn&#8217;t being used anymore – it&#8217;s simply been modified to keep up with the changing times.</p>
<p>Phishing emails are an international phenomenon: a basic text gets translated into a range of languages, and an email is then designed to imitate the look and feel of a well-known bank or financial institution. Most of the effort goes into the design of the email, and the logos and colours used are often difficult to distinguish from a genuine communication. The text, on the other hand, is likely to be riddled with spelling and/or grammar errors: an instant red flag. Additionally, emails that start &#8220;Dear customer&#8221; rather than using your actual name are a strong indication of a phishing attempt; these days, when even newsletters can be personalized, a legitimate communication is unlikely not to use your name. And finally, legitimate banks never request PIN numbers, TAN numbers or other sensitive information, and certainly not via email.</p>
<p>As mentioned above, it&#8217;s not just banks which can suffer from phishing attacks. Recently, a large number of phishing emails have been designed to harvest account data for online payment systems such as PayPal or auction sites such as eBay. Phishing mails make up 0.94% of all spam, and an incredible 60% of these messages target PayPal. Phishing emails of this type often threaten closure of your account, because allegedly it&#8217;s not been used for some time. To retain your account, the message says, you should log in; and of course, there&#8217;s a handy link provided in the email. If you click on it, you&#8217;ll see a page which looks like the site in question, and it asks you to enter your user name and password. Although it might look like the real thing, this website is a fake. You should never use links in emails which lead to a page where you&#8217;re requested to enter sensitive information. Use the bookmarks in your browser or enter the address yourself in the address line of your browser. Even if the link appears to be legitimate, JavaScript in the background can open a completely different address to the one displayed.<img class="alignright size-full wp-image-41" title="eBay" src="http://dannyranjeev.wordpress.com/files/2009/09/picture12.png" alt="eBay" width="399" height="228" /></p>
<p>If you&#8217;re unsure if an email is valid or not, call the company in question directly or send them an email asking if the email is genuine. However, if you choose to contact a company via email, don&#8217;t just reply to the dubious message: check the company&#8217;s website for a contact address and use this instead. This ensures that your query goes to the company itself and not to an invalid return address used by scammers or spammers.</p>
<h2><strong>Who wants to be a money launderer?</strong></h2>
<p>In the current economic climate, lots of us are looking for jobs, so news of vacancies is always welcome. Suppose you get a job offer via email, which promises a good salary for a job that allows you to work from home and that requires minimum time and effort. Even if you&#8217;ve already got a good job, the idea of making an extra €1,500 to €2,000 each month is obviously appealing. So what do you need to do? Simply receive sums of money from account A and transfer these to account B via Western Union, minus a certain percentage which you keep as commission.</p>
<p>Sadly, if something appears to be too good, it usually is. The sums you&#8217;re being asked to transfer come from phishing or other scams; your role is to ensure that the money reaches the scammers&#8217; and cybercriminals&#8217; accounts by a convoluted route. This makes the criminals far less easy to trace, but the transaction you&#8217;ve made will be very obvious. By completing such transactions you&#8217;ll become what&#8217;s known as a money mule, and guilty of money laundering or of aiding and abetting criminal activity. If you get caught, you could face a hefty fine and, potentially, a criminal record. So once again, the best way of dealing with these emails is simply to hit delete, no matter how tempting the offer might sound.</p>
<h2><strong>Scareware</strong></h2>
<p>Imagine this: you&#8217;re browsing websites looking for new wallpaper for your desktop. Suddenly a message pops up telling you that your computer is infected with 527 Trojans, viruses and worms. This might seem strange; you&#8217;ve got security software on your computer, and it&#8217;s not said anything about infections or threats. Maybe it&#8217;s not working properly? Or it&#8217;s overlooked something?</p>
<p>Once the initial shock passes, you take a closer look at the message. It says you can download new antivirus software that will solve your problem. And best of all, the software is free! Relieved, you take advantage of the offer, download the program and install it. You run the virus scan again manually, only to find that the software has now found even more infections, and this time you&#8217;re shown a different message: the malware can only be removed by the full version of the product, which you have to purchase. A quick look at the website reveals prices between €30 and €80. As the security software you installed initially seems to have let you down, you pin your hopes on the newly-discovered &#8220;miracle solution&#8221;, buy it, and click on &#8220;Disinfect&#8221;. All the threats seem to be quickly eliminated&#8230;. or are they?</p>
<p>This is a scam that&#8217;s become well-established; it plays on your fear that your computer is seriously infected. The approach taken by scareware programs of this kind can differ. The most common approach is that while you&#8217;re surfing the Internet, you get shown a popup window which appears to be carrying out a scan of your hard drive. It then shows a randomly-generated number of malware infections. A slightly less common approach is called a drive-by-download: you&#8217;re surfing an infected website, and a piece of unwanted software gets onto your computer. In the case of scareware, the software would frequently display messages informing you that your machine is infected. Even your wallpaper may get changed to remind you of the infections (which, it should be remembered, don&#8217;t actually exist). Changing the wallpaper back to the original image is a challenging task; the option to do this is removed from the settings menu, and although there are other ways to do this, they involve more technical knowledge than many people have. So what initially appears to be a &#8220;miracle solution&#8221; turns out to be software which doesn&#8217;t have any benefits for the user.<img class="alignleft size-full wp-image-42" title="Scareware" src="http://dannyranjeev.wordpress.com/files/2009/09/picture21.png" alt="Scareware" width="399" height="262" /></p>
<p>However, scareware does have benefits for the cybercriminals: they can make money from selling licenses for this fake security software. Additionally, such fake software often includes clearly malicious software which can be used to gain access to your machine, steal your personal data (which can then be resold) or turn your computer into a zombie machine which can be used to send enormous amounts of spam. Although this last might not seem to be obviously profitable, spammers will pay good money to buy or rent such machines to ensure that their messages are widely distributed – it&#8217;s just one more way to make money in the world of cybercrime.</p>
<p>The name scareware is entirely justified; a lot of effort is put into making sure firstly that the messages are convincing, and secondly that the scareware programs themselves look genuine. In addition, such programs often have names which sound similar to the names of legitimate security applications. This all helps to initially lend the scam an air of respectability which can fool even more experienced Internet users. So what should you do? Make sure you&#8217;ve got a reputable antivirus solution installed. If you start seeing messages like this, don&#8217;t be frightened, and certainly don&#8217;t buy the software on offer. Use your current security solution to run a full system scan.</p>
<h2><strong>Buyer beware: the danger of hidden subscriptions</strong></h2>
<p>These days, freeware – software which you don&#8217;t have to pay for &#8211; is available for almost every purpose imaginable. There&#8217;s something for everyone – games, media players, instant messenger clients etc &#8211; and a number of places where you can get these programs. Let&#8217;s say you&#8217;re looking for new software for office purposes – word-processing, spreadsheets, etc. You run a search, and your search engine gives you a large number of options. The first sounds promising: a website that&#8217;s got the files you need, and it appears to be legitimate, so you click without giving it any further thought. However, before you can download what you want, the site requires you to register by entering your name, address and a valid email address. Although you think this is a bit unusual, you&#8217;ve heard of download portals where you have to register in order to benefit from the full download rate. So, a little irritated, but well-versed thanks to having registered with various online shops, social networks and forums in the past, you enter the requested data in the fields provided. You quickly activate the checkbox indicating that you agree with the terms and conditions; you don&#8217;t bother actually reading these, because after all, they&#8217;re always the same. A moment later, you&#8217;re happily downloading the program you need.</p>
<p>But a little while later you get a nasty shock in the form of an email demanding that you transfer Euro 96. In agreeing to the terms and conditions, you&#8217;ve taken out a 2-year support subscription. If you don&#8217;t pay up, legal action will follow.<img class="aligncenter size-full wp-image-44" title="Phoneyware." src="http://dannyranjeev.wordpress.com/files/2009/09/picture14.png" alt="Phoneyware." width="399" height="362" /></p>
<p>It&#8217;s estimated that 10 to 20% of victims pay up. However, you shouldn&#8217;t let yourself be intimidated by threats of this kind. This type of scam attempts to extract money by playing on people&#8217;s fear of the law. After all, you know that you didn&#8217;t read the terms and conditions (perhaps because you realized you had little chance of understanding them, or perhaps because you&#8217;ve never heard of any negative consequences). If you get an email like this, do some research: try and find similar cases on the Internet, or call your lawyer. It&#8217;s likely that the threat either has no legal force, or will remain just that – a threat – because the cybercriminals are content to get money from the 10 – 20% of victims that do pay up.</p>
<h2><strong>Scams on social networking sites</strong></h2>
<p>Young people in particular are attracted by social networks such as Facebook or MySpace. These sites mean you can keep in touch with existing friends, exchange information, and also search for new friends. However, there are also social networking sites for older users; you can use these to make and maintain business contacts or search for old school friends.</p>
<p>Whatever site you use, there are dangers here as well. Suppose a close friend asks you for help – you&#8217;ll probably say yes immediately. Now transfer this situation to a social networking site. A friend sends you a message on the site telling you he&#8217;s stuck at Heathrow, has been robbed and threatened with a weapon. Now he&#8217;s got no money, credit card or plane ticket, and he asks you to transfer $400 via Western Union so he can get home. You might hesitate a bit; why does the money have to go by Western Union? Your friend insists this is the only way that he can access the money. You ask if you can call him, but apparently the thieves have stolen his mobile phone as well. You gradually become more and more suspicious &#8211; your friend seems to be behaving in a peculiar way, and he&#8217;s using words and phrases you&#8217;ve never heard him use before. Maybe that&#8217;s just because he&#8217;s in such a stressful situation. Since you&#8217;re worried about your friend, and you don&#8217;t want to have a bad conscience, you eventually transfer the money. And then you don&#8217;t hear from him again.</p>
<p>So what&#8217;s actually happened? This type of scam is currently very popular and very effective because it&#8217;s relatively unknown. The explanation is quite simple: cybercriminals have gained access to your friend&#8217;s account and are trying to get money from all his contacts. If you use social networks a lot, you could have hundreds of friends, and you won&#8217;t always know where each person is, which makes the story more believable.</p>
<p>However, there are also clear signs that fraud is being attempted in the case described above. A European stuck in London would hardly ask another European for US dollars. The same applies to the language and phrases used. If you get a message like this, make sure you contact your friend directly. Even if he says in his message that his mobile has been stolen, try calling it: you&#8217;ll be pleasantly surprised when he picks up the phone, and not only will you get to chat to him, you&#8217;ll also make sure that the message you received was not genuine.</p>
<p>If you want to protect your own social network account(s) from being abused in this way, you just need to follow a few simple rules. One possible way of securing your account relates to the method for resetting your password. When you register on a social network, you often have the option of answering a &#8220;secret question&#8221;. If you forget your password, you can generate a new one by entering the answer to the question. Usually, you can only choose from three &#8220;secret questions&#8221;, which are very general – for instance, the name of your pet, or the first school you attended. If you&#8217;ve included any of this information in your profile or on your page, accessing your account will be child&#8217;s play.</p>
<p>In order to make your account more secure, remember that you can modify the question and answer at any time. Make sure you keep your login and password to yourself. Additionally, make sure you don&#8217;t fall victim to phishing attacks (described above) and use an up-to-date antivirus solution: this will keep your computer clean of Trojans which might steal your password and send it on to cybercriminals.</p>
<h2><strong>Twitter – the dangers of short URLs</strong></h2>
<p>Since 2006, Twitter has grown enormously. More than 25 million users want to know the answer to the site&#8217;s slogan &#8220;What are you doing?&#8221;. Twitter is a social network with a difference – the micro-blogging format limits messages to 140 characters, and this makes it difficult to include URLs, which would take up a good 50% of the available characters. And this is where less well-known Internet services come in: ones which convert long, convoluted addresses into a significantly abbreviated form. These URL shortening services have their drawbacks: it&#8217;s difficult to tell where a short, cryptic URL actually leads, and this means that transparency suffers.<img class="aligncenter size-full wp-image-46" title="BLL" src="http://dannyranjeev.wordpress.com/files/2009/09/picture23.png" alt="BLL" width="427" height="500" /></p>
<p>Cybercriminals have seized this opportunity, and use these services to convert addresses leading to infected websites into short form. Such messages can be spread automatically, and promise the truth about some sensational news, such as the death of a celebrity (e.g. Michael Jackson). When there&#8217;s no sensational news, the cybercriminals just invent something – for instance, the supposed death of Britney Spears was widely broadcast on Twitter, even though the singer was alive and well.</p>
<p>Such messages containing links to infected sites are simply a more evolved version of email scams – they&#8217;re trying to take advantage of your curiosity. Unfortunately, this type of cybercrime shows that short URLs simply can&#8217;t be trusted. You can protect yourself by using add-on tools: for instance, a popular plug-in for Firefox will reconvert a short URL to the original format when you hold your mouse cursor over the link. This gives you a good idea if the link leads to a reputable site or not.</p>
<h2><strong>Films, games, music&#8230;and malware</strong></h2>
<p>If you&#8217;re new to the Internet, the first things you might look for are films, music, TV programs or computer games. Apart from the legal aspects of downloading such content – which have been extensively detailed by others – there are other issues to consider. If you&#8217;re looking around for content like this, you might think that so-called peer-to-peer networks offer the quickest route. So you download a program which will help you access the network and start helping yourself to what you want. Although you might have read somewhere that these files might come with malware attached, you just ignore this. However, you do this at your own risk.</p>
<p>For instance, games available for download often contain crack tools which can be used to circumvent copy protection. These tools are provided by hackers, either because they believe that all content should be free, or because they want to make an impression on the hacker scene. And download files may come with associated malware; cybercriminals know there&#8217;s a big market for free content, and by disguising their malware as popular files, or adding their malware to popular files, they&#8217;re increasing the number of potential victims. For instance, a banking Trojan might come with a game download – although young people rarely use online banking, the computer they download the file to might belong to their parents, who regularly check their account online. This approach therefore kills two – or more – birds with one stone.<img class="aligncenter size-full wp-image-47" title="El Torrent" src="http://dannyranjeev.wordpress.com/files/2009/09/picture15.png" alt="El Torrent" width="401" height="191" /></p>
<p>The chance of downloading malware via a peer-to-peer network is relatively high. So while illegally downloading a game or film may save you the purchase price, downloading a Trojan designed to steal your banking details could cost you hundreds of Euros, which quickly puts any anticipated financial gain into perspective. There&#8217;s no doubt here that honesty is the best policy.</p>
<h2><strong>Conclusion</strong></h2>
<p>Cybercriminals are very creative and are constantly adapting their scams as new Internet technologies and applications evolve. Mostly, this is a case of old scams being recycled to target new media. The best example of this is the classic spam message which contains a link to a malicious website. By now, lots of people know that you should never click on a link in an email from an unknown sender. However, when their approach was adapted to messages sent via social networking sites, the number of people who clicked increased enormously.</p>
<p>A few years ago, the design of a website could make it clear that the site was a fake: spelling mistakes, poor layout, etc. Now, however, cybercriminals have become far more sophisticated. If you suspect a scam, use a search engine to try and uncover further information; if there is a scam involved, other victims will probably have written about it. Search suspicious sites for contact information, and then verify this against other sources.</p>
<p>Finally, use your common sense. As stated above, anything that looks too good to be true probably is. If something sets alarm bells ringing, pay attention to your Internet instincts. A healthy dose of scepticism will go a long way in helping to protect you against fraud and scams: a reputable security solution and up-to-date software will take care of everything else.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Review: Professional Penetration Testing (for EH-net)]]></title>
<link>http://infosanity.wordpress.com/2009/09/28/review-professional-penetration-testing-for-eh-net/</link>
<pubDate>Mon, 28 Sep 2009 16:00:20 +0000</pubDate>
<dc:creator>Andrew Waite</dc:creator>
<guid>http://infosanity.wordpress.com/2009/09/28/review-professional-penetration-testing-for-eh-net/</guid>
<description><![CDATA[I was recently asked by Don over at EH-Net if I would be interested in reviewing a new book by Thoma]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I was recently asked by Don over at <a title="Ethical Hacker" href="http://ethicalhacker.net">EH-Net</a> if I would be interested in reviewing a new book by Thomas Wilhelm of <a title="Heorot.net" href="http://heorot.net/">Heorot.net</a>: &#8216;Professional Penetration Testing: Creating and operating a formal hacking lab&#8217;. Naturally I jumped at the opportunity.</p>
<p>I don&#8217;t want to discuss the book in too much detail here, as you can read the full review at Ethical Hacker <a title="EH-Net review" href="http://www.ethicalhacker.net/content/view/277/1/">here</a>, but the book is a great addition to my home library. Don also worked his magic to convince the publisher to release a chapter from the book free of charge: chapter four covers the initial setup and configuration of a hack lab environment, and can be downloaded from the review.</p>
<p>Hope the review is of use to someone out there, thanks to Thomas for writing the book in the first place and to Don for hooking me up with the review.</p>
<p>&#8211; <a title="Bio - Andrew Waite Bio" href="http://infosanity.wordpress.com/about/bio-andrew-waite/">Andrew Waite</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Preventing Proxy Abuse in Schools and Colleges]]></title>
<link>http://dannyranjeev.wordpress.com/2009/09/27/preventing-proxy-abuse-in-schools-and-colleges/</link>
<pubDate>Sun, 27 Sep 2009 07:43:02 +0000</pubDate>
<dc:creator>dannyranjeev</dc:creator>
<guid>http://dannyranjeev.wordpress.com/2009/09/27/preventing-proxy-abuse-in-schools-and-colleges/</guid>
<description><![CDATA[What are Anonymous Proxies? Circumventors, shadow surfing, anonymizers, proxy avoidance – call them ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h2><strong>What are Anonymous Proxies?</strong></h2>
<p>Circumventors, shadow surfing, anonymizers, proxy avoidance – call them what you will, anonymous proxies have been with us for about as long as we’ve been filtering the web. What they provide is simple – online anonymity. This may be a lifeline for political dissidents in countries where censorship is a problem but it is also a major problem for educational establishments and organizations who need to safely control and monitor their users’ web access. In basic terms, anonymous proxies are simply proxy servers &#8211; they pass users’ web requests onto other servers on the Internet. They help students to sidestep school security by allowing them to browse secretly through them – and view banned online content within them &#8211; without disclosing the URLs they visit to filtering products.</p>
<h2><strong>Why is Proxy Abuse a Problem?</strong></h2>
<p>There are now millions of proxies in existence, with miscreants changing URLs and developing new ones far faster than security vendors can hope to block them. The proliferation of proxies is already well beyond the control of URL-based filtering products, and although keyword-based filters will catch sites with ‘proxy’ in the title, most have legitimate-sounding names like examstudies.com. It only takes one proxy to put a gaping hole in your network security. Using a web filtering solution that doesn’t block proxies is the equivalent of putting a big bolt on your front door but leaving the back door wide open.</p>
<h2><strong>How do students know/find out about proxies?</strong></h2>
<p>As with most things, the first port of call is the web. Try entering “unblock myspace” into Google – the results run to hundreds of thousands of sites, all offering the same thing – anonymous browsing. ‘Backdoor’ URLs are passed quickly from student to student, with some proxy sites even offering to send daily updates on the newest and hottest proxy sites via email or text message. There are also plenty of step-by-step videos on YouTube showing students how they can use proxy tools to bypass school filters. These are the very skills that we don’t want our children to learn in school – digital lockpicking and worldwide web breaking and entering.</p>
<h2><strong>Different types of proxy and how to defend against them:</strong></h2>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Web-based Proxies</span></strong></h3>
<p>Web-based proxies work entirely through a web browser and use server-side software such as CGIProxy, Glype, PHProxy and other custom scripts. All students need to do to surf anonymously through these sites is enter the web address they wish to browse to in the box provided (usually on the home page). URL or keyword-based filters may block some of these, but the only way to reliably prevent access is to employ an intelligent filter that is capable of detecting – and accurately blocking – the characteristic signatures or patterns of proxies, as SmoothWall’s School Guardian web filter does (see the diagrams below).</p>
<p><img class="aligncenter size-full wp-image-36" title="." src="http://dannyranjeev.wordpress.com/files/2009/09/picture11.png" alt="." width="460" height="103" /></p>
<p><img class="aligncenter size-full wp-image-37" title="." src="http://dannyranjeev.wordpress.com/files/2009/09/picture2.png" alt="." width="460" height="98" /></p>
<h3><strong> &#8211;&#62;</strong><span style="text-decoration:underline;"><strong>Open Proxies</strong></span></h3>
<p>These are HTTP or SOCKS proxy servers that are open and accessible via the Internet. Most require users to reconfigure their browser settings to use them and so can be easily blocked with simple firewall rules. These rules can also prevent the use of Firefox or other browsers via USB sticks and other portable data storage devices.</p>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Secure/SSL Proxies</span></strong></h3>
<p>SSL proxies use HTTPS connections which allow users to secretly view illicit material (including media files) within a secure tunnel where content is encrypted. URLs visited via SSL proxies don’t appear in logs, and so IT staff are often unaware of the extent of their problems with the secure variety of these proxy pests. URL- and keyword-based filters are an utterly futile defense against SSL proxies. Even some so-called ‘third-generation’ filters aren’t intelligent enough to provide proper protection. Some offer the option of blanket blocks on all HTTPS traffic – but this is far from practical, since secure transactions often need to be made in the daily business of running a school. A whitelist of authorized HTTPS sites is a better option but will still result in over-blocking complaints, due to the sheer number of sites now using SSL encryption. To accurately defend against SSL proxies, filters need to be capable of inspecting and validating SSL certificates (few proxies have valid ones) and ideally decrypting and inspecting all incoming and outgoing HTTPS traffic, to make signature and content-based filtering possible again.</p>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Proxy Networks (e.g. TOR)</span></strong></h3>
<p>Various proxy networks exist (TOR is the best known example) that use layered encryption (also called “onion routing”) and peer-to-peer networking to allow their users to communicate anonymously with each other. Most rely on end-users to donate bandwidth and other resources to the network. Because the servers used are not controlled, some are operated by malicious individuals – who use them to distribute malware and other web nasties and intercept traffic. To defend against the use of proxy networks requires a combination of firewall rules, web filtering rules and local policy settings.</p>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Proxy Software Applications</span></strong></h3>
<p>Some subscription-based services offer client-side application software to automatically configure your browser’s proxy settings. Most are simply open proxies dressed up with a fancy interface, but some use HTTPS connections to outwit less intelligent filters and are hence becoming popular options for students. One of the most popular applications (Ultrasurf) is a free 100kb download. Blocking downloads and denying installation rights to anyone but administrators helps to prevent their use. Several of the prevention methods listed above for other types of proxies also work on application-based proxy tools.</p>
<h2><strong>Who makes proxies and why?</strong></h2>
<p>Proxies require a lot of bandwidth to host. This bandwidth costs money, sometimes quite a lot. So who is hosting these proxies, and who is footing the bill? A few proxies are hosted by technically-adept students, bypassing their school filters and limiting the use to a select group of their peers. Frequently these types of proxy are hosted on a home broadband connection, but with a handful of users, that’s no problem. These are the only truly ‘free’ forms of proxy and they can also be pretty tricky to block – URL list-based filters will almost never catch them! Public web proxies, on the other hand (the most common type), can eat their way through many gigabits of bandwidth. The cost of this is usually offset by placing pay-per-click adverts on the proxy page. Revenue is minuscule, but with many hits, it all adds up. Of course, the proxy owners have to advertise too – top proxy lists are one way of doing this, but sometimes legitimate ads are placed as well. Some software-based proxies charge a fee, but the majority are free and don’t carry any ads. Since it is highly unlikely that the creators are magnanimously footing the hosting bills, these proxy services will undoubtedly be selling on browsing habits, injecting ads or unwanted text, and even pushing malware.</p>
<h2><strong>Proxy abuse &#8211; what are the risks?</strong></h2>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Legal risks</span></strong></h3>
<p>Internet security standards at a school in Kent were recently exposed on the BBC news after the mother of one young boy complained that her son had returned home with a printout of a pornographic image obtained via school computers. The head was forced to send letters home to all parents regarding the matter and suspend Internet use until the security standards were improved. Although schools are not yet facing lawsuits for security breaches of this type, it is only a matter of time before a protective parent decides to prosecute.</p>
<p>In the US, schools must comply with the Children’s Internet Protection Act (CIPA), a federal law enacted by Congress in 2000 to protect children using school, college and library computers from offensive Internet content. All obscene, harmful and pornographic content must be blocked and all student web use monitored. Institutions that fail to comply risk losing e-rate funding (special Government discounts designed to make telecommunications and Internet access more affordable for schools).</p>
<h3><strong> &#8211;&#62;</strong><span style="text-decoration:underline;"><strong>Cyberbullying</strong></span></h3>
<p>Anonymous proxies are also popular with cyberbullies, who need them to cover their tracks so they can taunt teachers and students with impunity. Proxy tools help them to keep their online activities off the radar so they can remain unidentifiable and escape punishment.</p>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Malware</span></strong></h3>
<p>Not only do proxy sites give students unfettered access to the content you are attempting to block, they also help malware and other web-related threats to sneak into networks undetected. SSL proxies are a particular problem since the secure tunnels used allow malicious viruses and worms to sidestep firewall and web filtering security entirely.</p>
<h3><strong> &#8211;&#62;<span style="text-decoration:underline;">Phishing and password theft</span></strong></h3>
<p>Many students who use proxies are also unaware of the risks to their own personal security and identity. Malicious proxy servers do exist and are capable of recording everything sent to the proxy, including unencrypted logins and passwords. Although some proxy networks claim to only use ‘safe’ servers, due to the ‘anonymous’ nature of these tools, proxy server safety is impossible to police. Students should be educated to understand that whenever they use a proxy, they risk someone “in the middle” reading their data.</p>
<h2><strong>Other tips to prevent proxy abuse</strong></h2>
<ul>
<li>Educate teachers to recognise illicit surfing or proxy abuse and report it to the IT department.</li>
<li>Educate students about the dangers of using proxies.</li>
<li>Allow slightly more lenient filtering outside of core hours.</li>
<li>Make sure your AUP covers anonymous proxying and that both students and teachers are familiar with its content. Make it clear that proxy abuse can be tracked to individuals.</li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Serious security bug found in Windows Vista]]></title>
<link>http://dannyranjeev.wordpress.com/2009/09/26/serious-security-bug-found-in-windows-vista/</link>
<pubDate>Sat, 26 Sep 2009 05:08:47 +0000</pubDate>
<dc:creator>dannyranjeev</dc:creator>
<guid>http://dannyranjeev.wordpress.com/2009/09/26/serious-security-bug-found-in-windows-vista/</guid>
<description><![CDATA[An independent security consultant publicized this week the details to a critical flaw in the server]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>An independent security consultant publicized this week the details of a critical flaw in the Server Message Block version 2 (SMB2) component of Microsoft&#8217;s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.</p>
<div class="wp-caption alignright" style="width: 265px"><img title="Something Bugging You ??" src="http://www.hacksomnia.com/wp-content/uploads/2009/03/computer-bug.jpg" alt=":-p" width="255" height="169" /><p class="wp-caption-text">:-p</p></div>
<p>The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows systems, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.</p>
<p>Microsoft acknowledged the flaw on Tuesday in an advisory. The flaw does not affect the latest version of Windows 7, Windows Server 2008 R2, nor Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it fixed the security issue.</p>
<p>Yet, Gaffié argued that the disclosure was fair. The software company should have done more software quality assurance (SQA) on the networking components, he said in an e-mail interview with <cite>SecurityFocus</cite>. If they did, they would have easily found the issue &#8212; it took his fuzzer only 15 packets to crash the component, he said.</p>
<p>&#8220;So I personally think  the one who has been irresponsible is Microsoft for shipping this driver on any Server 2008, Vista, and Windows 7 (system) without doing any SQA and security review,&#8221; he responded.</p>
<p>Gaffié said he notified the company, but had a typo in the e-mail address.</p>
<p>The flaw was disclosed on Monday, the day before Microsoft&#8217;s regularly scheduled patch day. The software giant issued five patches for eight vulnerabilities, including three flaws in the company&#8217;s TCP/IP networking stack. Other flaws affected Windows&#8217; Javascript engine and its Windows Media components.</p>
<p>While Microsoft has not released a fix for the issue, the software giant recommended that administrators disable SMB version 2 or block the specific TCP ports (139 and 445) used by the file-sharing feature.</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
